Compare commits
2 Commits
Testuji
...
7b982b34c9
| Author | SHA1 | Date | |
|---|---|---|---|
| 7b982b34c9 | |||
| 2e64fb124f |
15
.vscode/launch.json
vendored
Normal file
15
.vscode/launch.json
vendored
Normal file
@@ -0,0 +1,15 @@
|
|||||||
|
{
|
||||||
|
// Use IntelliSense to learn about possible attributes.
|
||||||
|
// Hover to view descriptions of existing attributes.
|
||||||
|
// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
|
||||||
|
"version": "0.2.0",
|
||||||
|
"configurations": [
|
||||||
|
{
|
||||||
|
"name": "PowerShell: Launch Current File",
|
||||||
|
"type": "PowerShell",
|
||||||
|
"request": "launch",
|
||||||
|
"script": "${file}",
|
||||||
|
"args": []
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
@@ -3,7 +3,7 @@
|
|||||||
|
|
||||||
<#PSScriptInfo
|
<#PSScriptInfo
|
||||||
|
|
||||||
.VERSION 1.00
|
.VERSION 1.01
|
||||||
|
|
||||||
.GUID 14e0e777-6ba8-4f3f-b914-53c62e0a72aa
|
.GUID 14e0e777-6ba8-4f3f-b914-53c62e0a72aa
|
||||||
|
|
||||||
@@ -39,6 +39,8 @@
|
|||||||
Updated by Jordan Borean <jborean93@gmail.com>
|
Updated by Jordan Borean <jborean93@gmail.com>
|
||||||
Updated by Erwan Quélin <erwan.quelin@gmail.com>
|
Updated by Erwan Quélin <erwan.quelin@gmail.com>
|
||||||
Updated by David Norman <david@dkn.email>
|
Updated by David Norman <david@dkn.email>
|
||||||
|
Version 1.01 - Fixed issue with HTTPS when certificate in HTTPS listener doesn't match the cert in local store
|
||||||
|
Updated by Michal Horák
|
||||||
#>
|
#>
|
||||||
|
|
||||||
<#
|
<#
|
||||||
@@ -595,7 +597,31 @@ Function Run
|
|||||||
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Skipping changes in registry for LocalAccountTokenFilterPolicy.")
|
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Skipping changes in registry for LocalAccountTokenFilterPolicy.")
|
||||||
}
|
}
|
||||||
#--------------------------------------------------------------------------------------------------
|
#--------------------------------------------------------------------------------------------------
|
||||||
if (-not $MyError -and ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable" -and $CFG.SelfCertForce.ToLower() -eq "enable" )
|
# Get WinRM HTTPS listener thumbprint
|
||||||
|
|
||||||
|
$winrmOutput = winrm e winrm/config/listener
|
||||||
|
$winrmThumbprint = ($winrmOutput | Where-Object { $_ -match 'CertificateThumbprint' }) -replace '.*CertificateThumbprint\s*=\s*', ''
|
||||||
|
|
||||||
|
|
||||||
|
# Get local self-signed certificate thumbprint (adjust subject name as needed)
|
||||||
|
$DN = $env:COMPUTERNAME
|
||||||
|
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
|
||||||
|
$_.Subject -like "*CN=$DN*" -and $_.Issuer -eq $_.Subject
|
||||||
|
}
|
||||||
|
$localThumbprint = $cert.Thumbprint
|
||||||
|
|
||||||
|
# Compare the thumbprints
|
||||||
|
if ($localThumbprint -contains $winrmThumbprint)
|
||||||
|
{
|
||||||
|
$certisinwinrm = "yes"
|
||||||
|
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Signed certificate is used in WinRM HTTPS listener.")
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{$certisinwinrm = "no"
|
||||||
|
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Signed certificate is not used in WinRM HTTPS listener.")
|
||||||
|
}
|
||||||
|
|
||||||
|
if (-not $MyError -and ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable" -and $CFG.SelfCertForce.ToLower() -eq "enable" -or $certisinwinrm -eq "no" )
|
||||||
{
|
{
|
||||||
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Forcing SSL Self-Certificate reissuing, and recreating WinRM HTTPS listener.")
|
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Forcing SSL Self-Certificate reissuing, and recreating WinRM HTTPS listener.")
|
||||||
try
|
try
|
||||||
|
|||||||
19
ConfigWinRM.xml
Normal file
19
ConfigWinRM.xml
Normal file
@@ -0,0 +1,19 @@
|
|||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<ConfigWinRM>
|
||||||
|
<Options>
|
||||||
|
<LocalAccountTokenFilterPolicy>Enable</LocalAccountTokenFilterPolicy> <!-- Enable / Disable / Leave ( do nothing ) -->
|
||||||
|
<WinRMHTTP>Leave</WinRMHTTP> <!-- Enable ( Create ) / Disable ( Remove ) / Leave ( do nothing ) Win-RM HTTP Listener -->
|
||||||
|
<WinRMHTTPS>Enable</WinRMHTTPS> <!-- Enable ( Create ) / Disable ( Remove ) / Leave ( do nothing ) Win-RM HTTPS Listener -->
|
||||||
|
<FWWinRMHTTP>Leave</FWWinRMHTTP> <!-- Enable ( Enable or Create ) / Disable / Leave ( do nothing ) Win-RM HTTP firewall rule -->
|
||||||
|
<FWWinRMHTTPS>Enable</FWWinRMHTTPS> <!-- Enable ( Enable or Create ) / Disable / Leave ( do nothing ) Win-RM HTTPS firewall rule -->
|
||||||
|
<FWWinRMTrustedHosts>192.168.10.254</FWWinRMTrustedHosts> <!-- Host(s) that are allowed in local firewall configuration - Any / X.X.X.X - WinRM-(HTTPS-In) / Windows Remote Management (HTTPS-In) -->
|
||||||
|
<SelfCertForce>False</SelfCertForce> <!-- (Enable or False) Force issuing new self-signed certificate when old one exists and use for WinRM-HTTPS -->
|
||||||
|
<SelfCertValidityDays>1460</SelfCertValidityDays> <!-- Self-certificate validity for XX Days. 1460 - 4 years. -->
|
||||||
|
<BasicAuth>Disable</BasicAuth> <!-- Enable / Disable / Leave ( as ist ) -->
|
||||||
|
<KerberosAuth>Enable</KerberosAuth> <!-- Enable / Disable / Leave ( as ist ) -->
|
||||||
|
<CredSSPAuth>Enable</CredSSPAuth> <!-- Enable / Disable / Leave ( as ist ) -->
|
||||||
|
<DigestAuth>Leave</DigestAuth> <!-- Enable / Disable / Leave ( as ist ) -->
|
||||||
|
<NegotiateAuth>Leave</NegotiateAuth> <!-- Enable / Disable / Leave ( as ist ) Do NOT use, do NOT disable !!! :-) -->
|
||||||
|
<CertificateAuth>Leave</CertificateAuth> <!-- Enable / Disable / Leave ( as ist ) -->
|
||||||
|
</Options>
|
||||||
|
</ConfigWinRM>
|
||||||
Reference in New Issue
Block a user